Ddos 
In a deep dive published by Guy Bruneau, Senior Security Consultant and former network engineer, the lingering dangers of a years-old Cisco vulnerability—CVE-2018-0171—are laid bare with fresh insights and real-world testing. Despite being disclosed seven years ago, the Smart Install Remote Code Execution (RCE) flaw remains active in the wild, with over 1,200 Cisco devices still exposing the vulnerable service to the internet.
“Doing a cursory search on Censys for this port and the service name associated with Cisco Smart Install (SMI) pulled up 1,239 devices with this service publicly accessible.”
He fired up outdated Cisco hardware, loaded up an open-source exploit tool, and demonstrated how simple it still is for a determined threat actor to exfiltrate sensitive network configurations.
Smart Install is a Cisco feature designed to automate initial configurations for new network devices, allowing them to “plug and play” into infrastructure without direct administrator intervention.
While convenient, the feature is enabled by default, requires no authentication, and often remains publicly accessible on port 4786.
“This is not to say that all 1,239 of these devices are vulnerable… this simply illustrates the prevalence of publicly accessible devices running the Smart Install service.”
CVE-2018-0171 specifically allows attackers to send malformed Smart Install packets that bypass validation and execute arbitrary commands—without needing credentials.
Bruneau used a Cisco Catalyst 3750 switch running IOS 12.2(55)SE11—a firmware version known to be vulnerable. He leveraged the Smart Install Exploitation Tool (SIET), which includes a suite of functions to:
- Initiate connections to targets (conn_with_client)
- Send malicious configuration commands (change_tftp)
- Pull device settings and copy files via TFTP
With just a few flags, he successfully:
- Copied the device’s running config to flash memory.
- Transferred the file over TFTP to his local machine.
- Carved and analyzed the config in Wireshark.
“After running the attack and successfully pulling back the configuration of the Cisco 3750, I stopped the packet capture… the TFTP file transfer begins and… it is possible to see the entire running configuration of the 3750 in the data portion.”
Inside the exfiltrated config file, Bruneau identified Type 7 encrypted passwords for administrator accounts (privilege 15). These passwords use a weak Vigenère cipher with a publicly known key.
“There are several websites, GitHub tools, and offensive platforms… that can crack these passwords immediately.”
With cracked credentials in hand, a threat actor could:
- Log in via SSH (if exposed)
- Use legitimate access to stay under the radar
- Avoid detection by not creating new accounts
While CVE-2018-0171 is not new, its continued exploitation stems from poor patching and insecure defaults. Bruneau’s research highlights essential steps for network defenders:
- Disable Smart Install (no vstack)
- Update Cisco IOS firmware via Cisco’s Software Checker
- Use ACLs to restrict access to port 4786
- Avoid Type 7 passwords — use more secure hashing
- Monitor configuration changes and TFTP traffic
Related Posts:
- Cisco releases patch to fix three high security bugs
- Hackers use Cisco Router flaws to attack Iran, 3,500 routers hacked
- Cisco Smart Install Protocol was misused, tens of thousands of critical infrastructure may be attacked
About The Author
